In computing environments, it is often desirable to control access to a particular resource. Examples of such resources include files, directories, databases, applications, modules, data structures, drivers, and so forth. There are a variety of conventional mechanisms for controlling access to a resource. For instance, an Access Control List (ACL) is associated with a resource and essentially defines an access control policy for accessing that resource. The ACL includes a number of Access Control Elements (ACEs) that each define access permissions for a corresponding principal. The principal may be a particular user or another entity, such as another application, or perhaps a group of users and/or applications. When a particular principal requests the resource, the ACL for that resource is checked to verify that the requesting principal has permission to perform the requested action on the resource. The requested access is then either denied or granted. In ACL-based access control models, the principal does not typically know the underlying policy that controls access to the resource.
Other conventional access control approaches have a more flexible mechanism for defining policy. For example, Web Service (WS) is a set of specifications for providing network-based services. One of those specifications is WS-SecurityPolicy. If a principal makes a request to access a resource, a resource manager may respond with the actual policy that is to be satisfied in order to access the resource. Typically, in WS-SecurityPolicy, this policy information is provided to the principal in the form of an eXtensible Markup Language (XML) structure. The principal may then comply with that policy. Constructing such policy can be labor intensive.
Accordingly, there is a diversity of technology in controlling access to resources through the use of policy.
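The two models contrasted above can be put side by side in a short sketch. This is an added example, not code from the original text: the resource, the principals, the group table and the claim names (`token_type`, `transport`) are hypothetical and do not reproduce actual WS-SecurityPolicy assertions or its XML format.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ACE:
    principal: str        # a user, an application, or a group name
    allowed: frozenset    # actions this principal may perform


@dataclass
class Resource:
    name: str
    acl: list             # list of ACE entries
    # Hypothetical disclosed policy: claims a request must present.
    required_claims: dict = field(default_factory=dict)


# Constructed sample data (assumptions, for illustration only).
GROUPS = {"alice": {"finance"}, "bob": set()}
REPORT = Resource(
    name="report.xlsx",
    acl=[ACE("finance", frozenset({"read"})),
         ACE("alice", frozenset({"write"}))],
    required_claims={"token_type": "signed", "transport": "tls"},
)


def acl_check(resource, principal, action):
    """ACL model: the caller learns only grant or deny, never the policy."""
    # A principal matches ACEs naming it directly or naming one of its groups.
    identities = {principal} | GROUPS.get(principal, set())
    return any(ace.principal in identities and action in ace.allowed
               for ace in resource.acl)


def policy_request(resource, claims):
    """Policy-disclosing model: a failed request is answered with the
    policy that must be satisfied, so the principal can comply and retry."""
    unmet = {k for k, v in resource.required_claims.items()
             if claims.get(k) != v}
    if unmet:
        return {"granted": False, "policy": dict(resource.required_claims)}
    return {"granted": True, "policy": None}


if __name__ == "__main__":
    print(acl_check(REPORT, "bob", "read"))            # opaque denial
    first = policy_request(REPORT, {"transport": "tls"})
    print(first)                                       # denial plus policy
    print(policy_request(REPORT, first["policy"]))     # compliant retry
```

In the ACL path a denied principal has nothing to act on, while in the policy-disclosing path the denial itself carries the requirements, at the cost of someone having to author that policy.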